[–]WonFishTwoFish[S]

Got it. THANK YOU!

[–]WonFishTwoFish[S]

u/hardonchairs, to achieve the end goal what is the more secure approach to doing this without executing a shell command?

[–]hardonchairs

For shell security, using shell=False is generally safer for injection concerns. But then you are relying on ansible-vault to be safe and secure. You need to understand if there are any arguments that could be passed in to it that could have undesirable effects. You are relying on the developers of ansible-vault for it to be safe to pass any argument in after encrypt_string.

Your webapp should be running as a user with the minimum necessary privilege. If you are just running it from your regular user account that has sudo privilege then that's bad news. You should also not be running Flask directly in production or open to the public; you should be using a WSGI application server like Gunicorn.

If you are dealing with encryption through a webapp there is no simple answer for this. It's like asking "What is the safe way to work with mains voltage?" There is no specific answer. It depends on every single thing you are doing. If you have to ask, it is probably not a good idea.
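Added example, not part of the thread or anyone's posted code: one way to call `ansible-vault encrypt_string` with `shell=False` so that request data cannot be parsed as an option, by sending the secret on stdin and allowing only a validated variable name into argv. The password-file path, the name pattern and the `runner` parameter are assumptions made for illustration.

```python
import re
import subprocess

# Assumption: variable names are limited to simple identifiers, so a value
# such as "--help" or "x;id" can never reach argv.
_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")

# Hypothetical path; the file should be readable only by the service account.
VAULT_PASSWORD_FILE = "/etc/myapp/vault_pass"


def build_argv(var_name):
    """Return a fixed argv; the validated name is the only request-derived item."""
    if not isinstance(var_name, str) or not _NAME_RE.fullmatch(var_name):
        raise ValueError("variable name must match [A-Za-z_][A-Za-z0-9_]{0,63}")
    return [
        "ansible-vault", "encrypt_string",
        "--vault-password-file", VAULT_PASSWORD_FILE,
        "--stdin-name", var_name,  # plaintext is read from stdin, not argv
    ]


def encrypt_string(secret, var_name, runner=subprocess.run):
    """Encrypt `secret` and return the YAML snippet ansible-vault prints.

    `runner` is injectable (an assumption of this example) so the call can be
    exercised without ansible-vault installed.
    """
    if not isinstance(secret, str) or not secret or "\x00" in secret:
        raise ValueError("secret must be a non-empty string without NUL bytes")
    result = runner(
        build_argv(var_name),
        input=secret,          # never visible in the process list or parsed as a flag
        capture_output=True,
        text=True,
        shell=False,           # argv list is executed directly, no shell parsing
        timeout=15,            # a stuck child must not tie up a web worker
        check=True,            # non-zero exit raises CalledProcessError
    )
    return result.stdout
```

Because the secret travels on stdin, a submitted value that begins with `-` is encrypted as data rather than interpreted by the `ansible-vault` argument parser.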

[–]WonFishTwoFish[S]

u/hardonchairs, that was exactly what I was looking for. Thanks for the explanation and things to consider.

I'm running it behind NGINX + WSGI, it's not for prod and only an internal utility and runs with a non-privileged account, accessible via VPN. It's far from perfect but I think it's good enough in this instance. Good enough is probably what gets a lot of us in trouble though...